Firewalls are a security feature used to protect a computer network from potentially hostile attacks from outside the computer network. For example, a firewall may protect a Local Area Network ("LAN") from malicious attacks from the Internet or another computer network. Firewalls typically provide security services by filtering out data traffic that may be inappropriate, suspicious or dangerous. To implement filtering, a firewall is designed to interpret the type of data traffic that is being sent through it. The more information that a firewall has about transactions taking place through it, the more security it can provide.
In firewalls known in the art, there are three broad classes of security mechanisms including: packet mode filtering; circuit mode filtering; and application gateway filtering. Packet mode filtering is the simplest of all firewall mechanisms. Packet mode filtering includes using the content of data packets passing through the firewall to determine if a packet should be allowed to pass through the firewall. For example, network addresses such as Internet Protocol ("IP") addresses and source and destination port numbers, such as Transmission Control Protocol ("TCP") or User Datagram Protocol ("UDP") port numbers, are used to filter data traffic. As is known in the art, IP is an addressing protocol designed to route traffic within a network or between networks. TCP provides a connection-oriented, end-to-end reliable protocol designed to fit into a layered hierarchy of protocols that support multi-network applications. UDP provides a connectionless mode of communications with datagrams in an interconnected set of networks.
Circuit mode filtering includes predicting a data flow of data packets across the firewall and filtering all packets that do not conform to an expected data flow. For example, if a data flow with a predetermined class-of-service or quality-of-service is being used, data packets that do not conform to the predetermined class-of-service or quality-of-service will be filtered.
Application gateway filtering includes using protocol layers to determine what transactions are occurring between network elements. The application gateway will either drop or terminate data sessions that are viewed as "non-conforming" to expected data transactions. For example, application gateway filtering uses a Network, Transport, or Application layer to determine what is transpiring between network elements. As is known in the art, an Open System Interconnection ("OSI") model is used to describe protocol layers in computer networks. The OSI model consists of seven layers including from lowest-to-highest, a Physical, Data link, Network, Transport, Session, Application and Presentation layer.
Application gateway filtering can also monitor multiple protocols in multiple protocol layers. For example, the H.323 networking protocol typically uses H.225 with Q.931, H.225 with Registration and Admission Status ("RAS"), H.245 and Real-Time Protocol ("RTP") during an H.323 session. As is known in the art, H.323 is the main family of video conferencing recommendations for Internet Protocol networks. RTP is a transport layer protocol for packet based multimedia communication systems. H.323 uses RTP for its transport layer. As is known in the art, Q.931 and RAS are multimedia signaling protocols. H.245 is a control protocol for establishing multimedia communications. Real-Time Protocol ("RTP") provides a timing synchronization and sequence number mechanism when H.323 is used.
It is also possible for a firewall to combine packet mode filtering, circuit mode filtering and application gateway filtering with multiple protocols. Such a firewall uses combined filtering mechanisms to provide stronger firewall security than could be obtained by a firewall using a single filtering technique.
Firewalls help prevent a number of attacks on a computer network including: denial-of-service attacks; replay attacks; re-write attacks; compromise-of-a-master-key attacks; and others. During a denial-of-service attack, a malicious user performs unwanted actions (e.g., sending thousands of data packets to request a service) to overload a network device and cause it to lose its ability to communicate with other network devices. A firewall can help prevent denial-of-service attacks by setting a limit on the number of data packets that can be received for a given action.
Replay attacks occur when a malicious user gains access to a router or other network device on a computer network that is forwarding data packets. Legitimate data packets are intercepted and then re-sent at a later time to allow the malicious user to appear as a legitimate user. A firewall helps prevent replay attacks by checking a time-stamp in the data packet that prevents the data packets from being re-sent at a later time.
Re-write attacks are characterized by a malicious user intercepting a transmitted data packet, changing its content in some way, and then forwarding the data packet to its original destination. A firewall helps prevent re-write attacks by verifying the contents of a data packet (e.g., with a secure hashing function such as Message Digest-5 ("MD5") or encryption).
Compromise-of-a-master key attacks occur when encryption or MD5 authentication is used. It is possible for a malicious user, after a long period of time (e.g., a few days), to capture enough data packets to eventually determine what master key is being used for encryption or MD5. A firewall helps prevent compromise-of-master-key attacks by requiring a master key used for encryption or MD5 authentication be changed on a regular basis.
It is often necessary for a first network device on a first computer network inside a firewall to receive a large amount of information on a regular basis through the firewall from a second network device on a second computer network outside the firewall over a third network. For example, a host computer on a Local Area Network ("LAN") receives e-mail and/or data files on a daily basis from an Internet Service Provider ("ISP") over the Internet through a firewall. The connection and transfer process, even through a firewall, is subject to attack by malicious users.
There are several problems with using firewalls to protect a computer network from a malicious attack during day-to-day transfer of information from another computer network via the Internet. In general, firewalls provide little protection against data packets that carry neither authentication information in each packet nor a state, time or pre-assigned sequence number assigned within each packet.
For example, during a data transfer process, a common denial-of-service attack that is used via the Internet is a "TCP SYN" attack. To initiate a legitimate TCP connection, a network device transmits a TCP segment with a SYnchronize sequence Numbers ("SYN") flag set in a TCP SYN segment. Since the TCP SYN segment is a legitimate TCP packet for initiating a TCP connection, a firewall cannot filter out TCP SYN segments, and it keeps no protocol state against which to detect a malicious user sending too many such segments to overload a system.
If data packets sent during a day-to-day transfer of information are not time-stamped, a replay attack could occur since a firewall has no way of determining when the data packets were actually sent. If authentication is not used, then re-write attacks could occur. If encryption is not used, then privacy may be lost as information being sent can be viewed by others. Thus, it is desirable to use a firewall that provides a higher level of security to protect a computer network during day-to-day tasks.
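The checks the text describes (a packet-mode port rule, a per-source limit on SYN segments, time-stamp freshness against replay, and a keyed digest against re-writes) combined in one small stateful filter. This is an added example, not the patent's design: the packet dicts, the SECRET key and the thresholds are constructed, and it uses HMAC-SHA256 in place of the MD5 the text names, since MD5 is no longer considered collision resistant.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed placeholder values; a real deployment rotates SECRET regularly
# (the compromise-of-a-master-key mitigation described above).
SECRET = b"example-master-key"
ALLOWED_PORTS = {25, 80}   # packet-mode rule: only these destination ports pass
SYN_LIMIT = 3              # SYN segments allowed per source within one window
SYN_WINDOW = 1.0           # seconds
MAX_AGE = 30.0             # seconds a time-stamp may lag before it is stale


def tag(ts, payload):
    """Sender side: keyed digest over time-stamp and payload (constructed helper)."""
    return hmac.new(SECRET, f"{ts}|{payload}".encode(), hashlib.sha256).hexdigest()


class Firewall:
    def __init__(self):
        self.syn_times = defaultdict(list)   # src -> time-stamps of recent SYNs
        self.seen = set()                    # (src, ts, mac) already accepted

    def decide(self, pkt, now):
        """Return 'accept' or a 'drop:<reason>' string for one packet dict."""
        # 1. packet-mode filtering on destination port
        if pkt["dport"] not in ALLOWED_PORTS:
            return "drop:port"
        # 2. per-source SYN rate limit: the denial-of-service mitigation
        if pkt.get("syn"):
            recent = [t for t in self.syn_times[pkt["src"]] if now - t < SYN_WINDOW]
            recent.append(now)
            self.syn_times[pkt["src"]] = recent
            return "drop:syn-flood" if len(recent) > SYN_LIMIT else "accept"
        # 3. freshness check: a stale time-stamp suggests a replayed packet
        if now - pkt["ts"] > MAX_AGE:
            return "drop:stale"
        # 4. integrity check: recompute the keyed digest to detect re-writes
        if not hmac.compare_digest(tag(pkt["ts"], pkt["payload"]), pkt["mac"]):
            return "drop:tamper"
        # 5. duplicate check: an identical fresh packet seen twice is a replay
        key = (pkt["src"], pkt["ts"], pkt["mac"])
        if key in self.seen:
            return "drop:replay"
        self.seen.add(key)   # entries older than MAX_AGE can be expired in practice
        return "accept"
```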